ABSTRACT

The military has an increasing need for a data base management system (DBMS) supporting many users of differing clearances and a large collection of data having differing classifications. Such a multilevel access DBMS would allow maximum utilization of computer resources while avoiding the maintenance of multiple copies of the same data on multiple data base management systems for restricted user groups. However, the lack of effective security controls in today's computer systems precludes a truly secure, multilevel access DBMS. This paper discusses the underlying problem in constructing a DBMS which provides for security and multilevel access and then outlines a promising approach which the Air Force is pursuing to solve the problem.
FOREWORD

This paper was produced for and presented to the Air Force Academy's Fourth Annual World Wide Data Base Management System Symposium held 29-30 January 1974 at the Air Force Academy. Although the paper addresses security considerations within data base management systems, these considerations apply to a broader class of computer systems including operating systems.
I. Introduction

With the current state-of-the-art, a data base management system (DBMS) cannot provide effective security controls over access to the information in the system. Meanwhile, the military urgently requires a secure "multilevel" DBMS -- capable of supporting data and users having multiple classifications and clearances respectively. Unfortunately, the ineffective security of current systems frequently prohibits the military from efficiently utilizing its computer resources and prevents achievement of operational capabilities requiring controlled sharing of data. However, the required technology is now being developed to overcome these deficiencies.

Overview

This paper examines the existing inadequacies and how to provide a solution. Part II explains why current data base management systems do not have effective multilevel access controls, while Part III describes the need for data base management systems that combine security and multilevel access. Part IV identifies and describes three areas of consideration in providing secure computer systems. Part V outlines the technology currently being developed by the Air Force which will lead to secure computer systems which will support a DBMS with effective information protection.

II. Why Current Security Controls are Ineffective

The current lack of effective security controls for multilevel access computer systems is primarily due to:

1) The inability of humans to understand the programs which they write. Paradoxically, we cannot determine exhaustively all the possible states attainable by programs of consequence, despite the fact that these programs operate on a deterministic automaton -- the computer. In particular, we are unable to establish that access control programs will not in fact permit unauthorized access. Because of our lack of fundamental techniques for insuring the correct operation of substantial programs, we have been unable to develop a DBMS (or any other programmed system) that enforces any meaningful security policy, even the simplest. This lack of fundamental controls is not just a theoretical weakness, but past attempts (at major expense) <A72> have repeatedly and consistently demonstrated the futility of the current ad hoc techniques.
2) The fact that the security practices and policy for computer systems do not have a sound technical basis. They are adaptions of practices and guidance designed for manual systems; the resulting techniques are inappropriate, nonfunctional or even counterproductive. As a result, meeting all the security regulations provides little assurance that a computer system in fact has meaningful security. There is a need for practices and policy that recognize the inherent inadequacies of contemporary systems, but at the same time provide for application of technology that provides the forms of security that are necessary within data base management systems.

III. The Need for a Secure Multilevel Access Capability

In spite of the weaknesses of current systems, there is an urgent need for effective security in military computers. The military can derive significant economic benefits from a secure multilevel access capability and, additionally, obtain major improvements in operational capability through the attendant controlled data sharing capability.


Economic Benefits

The limitations of current systems result in major additional costs that could be avoided by use of systems with effective internal controls. In order to provide security for a DBMS (and other applications), currently the military must insure that all users are cleared to a level that authorizes each user to access any data in the DBMS. This single level access capability can be achieved by:

1) limiting the users to those who have sufficient clearance to access any data in the DBMS -- in particular, the most highly classified information.

2) limiting the data to that classification which all users are permitted to access -- determined by the individual(s) with the least clearance.

Some of the wasteful consequences of using one or both of the above methods to provide security are:

1) The military must obtain unnecessarily high clearances for the DBMS users. Not only is this expensive, but also it increases the risk of compromise through subversion of personnel whose duties do not actually require access to the highly classified information in the DBMS.


2) The DBMS requires a dedicated computer system. If the user community is small and the data base large and highly classified, computer resources are wasted. Even when several groups share a computer system by making the system available to each group for a limited period of time, waste of computer resources results because of the time and the "sanitizing" procedures to switch the computer system from one user group to another.

3) Rigid controls are placed on the environment of the computer system including remote terminals. A computer system maintaining highly classified data requires heavy guarding. All remote peripherals require dedicated and protected communication lines to the central site or cryptographic techniques or both; this is absolutely essential even for terminal devices used only for nominally unclassified processing.

Major economic benefits can be obtained by avoiding these brute force approaches. It has been estimated that use of these methods to provide secure computer systems currently costs the Air Force alone $100,000,000 annually <A72>.
Controlled Data Sharing

In addition to economic considerations, a DBMS having a secure multilevel access capability provides the data sharing capability necessary to satisfy important operational requirements. A DBMS may support many users involved in many tasks. Although two users may require access to two different sets of data (with information of various classifications), the intersection of the two sets of data may be non-null, even though the users have different clearances.

As an example consider an inventory control system. One item of information in this system may reflect that an order has been placed for jet fuel. Numerous procurement and financial management personnel may have access to this information to prepare various accounting entries to pay the supplier and charge the cost against the appropriate funds citation. Typically, these functions would be in non-secure areas and some of the personnel would be unclearable.

In this example a cleared supply officer needs current access to the same order to know that the fuel has been ordered and its scheduled delivery date so that he may determine the available supply and plan the deployment of the fuel to various combat organizations. The supply officer must also put into the system the deployment information which will be reflected as a consumption of a portion of the supply. This deployment information is much more sensitive than the procurement information, since an enemy could assign priorities to target installations based on the deployment of the fuel to the installations and in combat situations could forecast attacks if he had access to the distribution information.

A contemporary DBMS without effective security capabilities could not satisfy an operational requirement for the example system. On the other hand, if the inventory control system in the above example provided secure multilevel access, the system could meet the following operational needs:

1) Only the supply officer would need a high level clearance. The procurement and financial personnel have no need-to-know (nor clearance) for the classified fuel distribution information.

2) Each remote access peripheral could have an associated classification which limits the data that may be entered or retrieved at the peripheral. The supply officer would require secured communication lines. However, the procurement and financial personnel in the non-secure area could access the system over commercial telephone lines.

In summary, the benefits of a multilevel access DBMS are economy of operation and the ability to have controlled data sharing among users.

IV. Considerations in Providing Effective Security

To provide effective security in a multilevel access computer system, there are three areas of consideration:

1.  hardware  security 

2.  procedural  security 

3.  programmed  security. 

Hardware Security

The computer hardware is the foundation of any computer system and is also the basis for security within the system. The programmed security controls will rely on the integrity of the hardware design (the ability of the hardware to perform as specified) and the hardware reliability (affected by the reliability of the individual electronic components).

The currently available technology for secure systems (discussed in Part V below) requires security controls that would be prohibitively costly to implement in software. Examples of hardware needed for security are address mapping (segmented virtual memory hardware), multiple protection states (e.g. protection rings <r.72>), and privileged instructions. The correct operation of these functions is essential to security.

Empirical observations indicate that relative to the other considerations of security, hardware design integrity and reliability are within acceptable limits.

Procedural Security

Procedural security considerations are concerned with threats to security perpetrated from outside the computer system. Procedural security issues include:

1) protecting the computer site.

2) securing communication lines and avoiding other types of electronic eavesdropping.

3) protecting data retained on removable media, such as cards, tapes, printer listings, and possibly disks.

4) identifying the user of the system.
Many of the issues of procedural security do not directly involve the designer (e.g., 1 and 2 above); however, the DBMS designer should be aware of procedural security aspects because the DBMS could facilitate some issues of procedural security (e.g., 3 and 4 above). The DBMS should insure that data stored on the removable media retain their classification. For example, perhaps each page of a line printer listing should contain a classification heading appropriate for the data appearing on that page. However, the DBMS designer cannot control who will receive that listing.

Programmed Security

Programmed security is concerned with the controls provided by the DBMS programs to prevent unauthorized access to the information maintained by the DBMS. The inadequacy of programmed security controls is the primary reason that existing data base management systems are insecure. Penetration studies have demonstrated that circumventing programmed security controls is a most viable method for unauthorized access -- successful attacks are repeatable and nearly always undetectable <M2, K74>. Programmed security controls are of the utmost concern to the DBMS designer.
In providing security within the DBMS program, the goal is to provide certifiable security. For certifiable security, one must provide a convincing deductive demonstration which guarantees that (even with the aid of the complete DBMS program listing and documentation) no user can obtain access to data for which he does not have sufficient authorization. Without this demonstration of security, a DBMS cannot be judged to provide effective security. The next section will outline an approach for providing certifiable security for military computer systems.

V. Toward A Secure Computer System

The Directorate of Information Systems Technology of the Electronic Systems Division (ESD) at L. G. Hanscom Field has embarked on a development program <r73> leading to a prototype secure multilevel access computer system. Although the plan considers all three aspects of security <B73, M74> discussed above, programmed security will receive major consideration.

Approach

The ESD development program recognizes that security must be an important initial consideration of any computer system design. In order to provide a secure design one must:

1) precisely define security in a way meaningful for computer operations and consistent with military security directives <D72>. This results in a model of security requirements. This is a very important step since this model precisely defines what "secure" means, in particular for purposes of certifying that the system is "secure".

2) specify a set of rules, based on the model, which determine whether a request by a program to access data will be allowed. Since these rules are derived directly from the model, they will maintain security; they are embodied in what has been called a "reference monitor" <A72>.

3) establish a set of rules, again based on the model, for granting and possibly retracting permission for users to access certain data. Again these rules will maintain security according to the definition, and are part of the reference monitor.

4) establish a methodology for proving that a DBMS using the resulting reference monitor precisely implements the above definition and rules. This is the certification procedure.
The most difficult of the above four tasks is the last. In order to simplify the task of certifying the design, Schell et al <S73> advocate centralizing all the primitive security controls of the system into a well-defined "security kernel". This security kernel is based on application of the following principles in the design and implementation of the security controls (viz., the reference monitor):

1) complete mediation - The security controls must be invoked on each attempted access to the data objects of the system. The system must provide the security controls with a non-forgeable identity of the user attempting the access (see Figure 1).

2) isolation - The programs and data needed to implement the security controls must be tamper-proof. Other programs must not be able to alter the programs and data which implement the security controls.

3) simplicity - The programs implementing the security controls must be simple and easily understood in order to certify that they implement the security functions derived from the formal model. The degree of difficulty in proving programs increases rapidly (perhaps exponentially) with the complexity of the program.
[Figure 1: The Reference Monitor and Access Requests. An access request from a user is passed to the reference monitor, which consults the reference monitor authorization data base (clearances, classifications, formal compartments, need-to-know) before access is granted to the objects of the system: files, programs, segments, registers, I/O devices.]


Techniques such as block-oriented higher level languages and structured programming can be used to reduce complexity.

Current Status

For about two years ESD has been pursuing the above approach, although the Air Force has committed only limited resources to this program. Specific efforts of the development program now under way include:

1) Formal Models. This effort involves the development of a mathematical model of the Department of Defense information security requirements which can apply to computer systems. This model <BL73, LB73, U74> precisely defines security and presents a set of rules for both granting access to data and passing authority to access data. The model is accompanied by formal mathematical proofs that these rules maintain security.

2) Technical Feasibility Demonstration. This demonstration is based on the implementation of a mini-computer based, secure multi-access computer system <S73>. The approach taken in the implementation of the reference monitor for this system is the security kernel approach. The security kernel monitors and passes judgement on all attempted accesses to data, and the mathematical model is the basis for the security controls provided. The security kernel provides all security related functions and only those functions.

Under the security kernel approach, the security functions are isolated from application programs, the DBMS, and much of what is typically the operating system. The security kernel is distinct from the operating system and the operating system cannot affect the security of the system (see Figure 2).

Potential direct applications of this mini-computer based security kernel implementation include a front-end processor for a large computer system and a foundation for a secure DBMS.

3) Prototype Secure DBMS. The feasibility demonstration mini-computer is being used to implement a set of tools for constructing a secure special-purpose DBMS. The security of this DBMS implementation is dependent on the use of the security kernel as a foundation. Extensions to the mathematical model and the security kernel will provide tools to algorithmically downgrade and extract selective data from a classified data base <M74>.
[Figure 2: The Security Kernel in Perspective]
VI. Summary

The purpose of this paper was to give the reader an awareness of the fundamental inadequacy of current data base management systems (and computer systems in general) for effective security controls, and to briefly describe the approach and progress of the Air Force program for applying advanced technology to provide adequate security.

The major considerations of this program are:

1) Total system security requires the consideration of hardware, program, and procedural issues.

2) Security must be designed into any computer system from the outset.

3) Computer system security controls must be based on a precise model of military security requirements.

4) Programmed security controls must be demonstrably complete and tamperproof a priori.